[Jochen]

Microsoft untersucht derzeit eine gemeldete Sicherheitsanfälligkeit im FTP-Dienst in Microsoft Internet Information Services (IIS) 5.0, 5.1 und 6.0.

Weitere Infos findet Ihr in der Mail unten (engl.) oder demnächst auf Microsoft-Sicherheitsempfehlungen - Security Advisories (dt).

_____________________________
What is the purpose of this alert?
This alert is to notify you that Microsoft has released Security Advisory 975191 - Vulnerability in Internet Information Services FTP Service Could Allow for Remote Code Execution - on September 1, 2009.

Summary

Microsoft is investigating new public reports of a vulnerability in the FTP Service in Microsoft Internet Information Services (IIS) 5.0, Microsoft Internet Information Services (IIS) 5.1, and Microsoft Internet Information Services (IIS) 6.0. The vulnerability could allow remote code execution on affected systems that are running the FTP service and are connected to the Internet.

Microsoft is aware that detailed exploit code has been published on the Internet for this vulnerability. Microsoft is not currently aware of active attacks that use this exploit code or of customer impact at this time. However, Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.

We are actively working with partners in our Microsoft Active Protections Program<http://www.microsoft.com/security/msrc/mapp/overview.mspx> (MAPP) to provide information that they can use to provide broader protections to customers.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs. This vulnerability was not responsibly disclosed to Microsoft and may put computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.

Mitigating Factors

* FTP service is not installed by default on all supported editions of Windows XP or Windows Server 2003. However, FTP service is installed by default on all supported editions of Microsoft Windows 2000 and all supported editions of Windows Small Business Server 2003.

* Affected systems are not vulnerable unless untrusted FTP users are granted write access. By default, FTP users are not granted write access.

* IIS 6.0 is at reduced risk because it was compiled using the /GS compiler option. This does not remove the vulnerability but does make exploitation of the vulnerability more difficult.

Affected Software

The security advisory discusses the following software.

Affected Software
Operating System Component
Microsoft Windows 2000 Service Pack 4 Microsoft Internet Information Services 5.0
Windows XP Service Pack 2 and Windows XP Service Pack 3 Microsoft Internet Information Services 5.1
Windows XP Service x64 Edition Service Pack 2 Microsoft Internet Information Services 6.0
Windows Server 2003 Service Pack 2 Microsoft Internet Information Services 6.0
Windows Server 2003 x64 Edition Service Pack 2 Microsoft Internet Information Services 6.0
Windows Server 2003 with SP2 for Itanium-based Systems Microsoft Internet Information Services 6.0
Non-Affected Software
Operating System Component
Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2 Microsoft Internet Information Services 7.0
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 Microsoft Internet Information Services 7.0
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 Microsoft Internet Information Services 7.0
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2 Microsoft Internet Information Services 7.0
Windows 7 for 32-bit Systems Microsoft Internet Information Services 7.5
Windows 7 for x64-based Systems Microsoft Internet Information Services 7.5
Windows Server 2008 R2 for x64-based Systems Microsoft Internet Information Services 7.5
Windows Server 2008 R2 for Itanium-based Systems Microsoft Internet Information Services 7.5

Recommendations

Review Microsoft Security Advisory 975191 for an overview of the issue, details on affected components, mitigating factors, suggested actions, frequently asked questions (FAQs), and links to additional resources.

Customers who believe they are affected can contact Customer Service and Support (CSS) in North America for help with security update issues or viruses at no charge using the PC Safety line (866) PCSAFETY. International customers can contact Customer Service and Support by using any method found at Worldwide Computer Security Information - Microsoft Security.

Additional Resources

* Microsoft Security Advisory 975191 - Vulnerability in Internet Information Services FTP Service Could Allow for Remote Code Execution: http://www.microsoft.com/technet/sec...ry/975191.mspx

* Microsoft Knowledge Base Article 975191: Microsoft Security Advisory: Vulnerability in Internet Information Services FTP Service could allow for remote code execution

* Microsoft Security Response Center (MSRC) Blog: The Microsoft Security Response Center (MSRC)

* Microsoft Malware Protection Center (MMPC) Blog: Microsoft Malware Protection Center

* Microsoft Security Research & Defense (SRD) Blog: Security Research & Defense

* Microsoft Security Development Lifecycle (SDL) Blog: The Security Development Lifecycle

Regarding Information Consistency

We strive to provide you with accurate information in static (this mail) and dynamic (Web-based) content. Microsoft's security content posted to the Web is occasionally updated to reflect late-breaking information. If this results in an inconsistency between the information here and the information in Microsoft's Web-based security content, the information in Microsoft's Web-based security content is authoritative.

Thank you,
Microsoft CSS Security Team